diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 09d7e22c546..0ce2a1be5ab 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 923f53581e2..0ab0b8d8645 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -3,6 +3,7 @@ on: [pull_request] permissions: contents: read + pull-requests: write jobs: dependency-review:
@@ -11,7 +12,7 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 with: allow-licenses: AGPL-3.0-only, LGPL-3.0, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, X11, 0BSD, GPL-3.0, Unlicense, CC0-1.0 # temporarily ignore dependency error sprintf-js 1.0.3, remove when it gets upgraded to 1.1.3 
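Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block of dependency-review.yml, but nothing visible in the Dependency Review step's `with:` (only `allow-licenses` and the sprintf-js note) opts into PR commenting, so the GITHUB_TOKEN is broadened for every step in the job without a visible consumer. If the v4 upgrade is meant to post the summary, make that explicit in the step, e.g. `comment-summary-in-pr: always`, so the write scope has a documented reason; otherwise keep the block at `contents: read` only. The step's `with:` continues past the end of the hunk, so the option may already be set there — worth confirming before merging.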
diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
index 070974741cc..f1b7e2ea84d 100644
--- a/.github/workflows/migrations.yml
+++ b/.github/workflows/migrations.yml
@@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: mongodb setup - uses: supercharge/mongodb-github-action@1.8.0 + uses: supercharge/mongodb-github-action@1.10.0 - name: setup uses: actions/setup-node@v4 with:
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index a7435d1cde9..32a20eac108 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -34,7 +34,7 @@ jobs: fetch-depth: 0 - name: Login to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }}
@@ -122,13 +122,18 @@ jobs: - name: Extract branch meta shell: bash id: extract_branch_meta + env: + PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + BRANCH_REF_NAME: ${{ github.ref_name}} + BRANCH_SHA: ${{ github.sha }} run: | if [ "${{ github.event_name }}" == 'pull_request' ]; then - echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT - echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT + echo "sha=$PR_HEAD_SHA" >> $GITHUB_OUTPUT else - echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT - echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT + echo "branch=$BRANCH_REF_NAME" >> $GITHUB_OUTPUT + echo "sha=$BRANCH_SHA" >> $GITHUB_OUTPUT fi deploy:
@@ -167,7 +172,7 @@ jobs: security-events: write steps: - name: run trivy vulnerability scanner - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 + uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: image-ref: 'ghcr.io/${{ github.repository }}:${{ needs.branch_meta.outputs.sha }}' format: 'sarif' 
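Review bot: In the `Extract branch meta` step of push.yml, `${{ github.event_name }}` is still interpolated directly into the `run:` script on the `if` line and `$GITHUB_OUTPUT` is unquoted in every `echo`, while the branch/sha expressions were correctly moved into `env:` so that attacker-influenced text (a PR head ref) never reaches the shell as code. For consistency use the runner-provided variable and quote the redirection target: `if [ "$GITHUB_EVENT_NAME" == 'pull_request' ]; then` and `echo "branch=$PR_HEAD_REF" >> "$GITHUB_OUTPUT"` (likewise for the other three echos). Two smaller points: `${{ github.ref_name}}` is missing the space before `}}` (cosmetic, but worth aligning with the other lines), and replacing `${GITHUB_REF#refs/heads/}` with `github.ref_name` changes what a tag push writes to `branch` (formerly the unstripped `refs/tags/...` form, now the bare tag name), which is presumably intended but deserves a one-line comment above `env:`.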
@@ -176,7 +181,7 @@ jobs: ignore-unfixed: true - name: upload trivy results if: ${{ always() }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 6089c0739a1..cf78afaff0e 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -26,13 +26,13 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Log into docker registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Log into quay registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }}
@@ -81,7 +81,7 @@ jobs: contents: write steps: - name: create sbom - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 + uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: scan-type: 'image' format: 'cyclonedx'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5aaa8567005..a901c3704a6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.8.0 + uses: supercharge/mongodb-github-action@1.10.0 with: mongodb-version: ${{ env.MONGODB_VERSION }} - name: environment setup
@@ -39,7 +39,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - shard: [1, 2, 3, 4] + shard: [1, 2, 3, 4, 5, 6, 7, 8] services: rabbitmq: image: rabbitmq:3 
@@ -53,20 +53,20 @@ jobs: with: node-version: ${{ env.NODE_VERSION }} - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.8.0 + uses: supercharge/mongodb-github-action@1.10.0 with: mongodb-version: ${{ env.MONGODB_VERSION }} - name: npm ci run: npm ci --prefer-offline --no-audit - name: nest:test:cov - test all with coverage - timeout-minutes: 25 + timeout-minutes: 11 run: export RUN_WITHOUT_JEST_COVERAGE='true' && export NODE_OPTIONS='--max_old_space_size=4096' && ./node_modules/.bin/jest --shard=${{ matrix.shard }}/${{ strategy.job-total }} --coverage --force-exit - name: save-coverage run: mv coverage/lcov.info coverage/${{matrix.shard}}.info - name: "upload-artifacts" - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: coverage-artifacts + name: coverage-artifacts-${{ matrix.shard }} path: coverage/ sonarcloud: name: SonarCloud coverage
@@ -76,15 +76,16 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 with: - name: coverage-artifacts + pattern: coverage-artifacts-* path: coverage + merge-multiple: true - name: Merge Code Coverage run: | sudo apt-get install -y lcov find coverage -name *.info -exec echo -a {} \; | xargs lcov -o merged-lcov.info - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: distribution: 'temurin' java-version: '17'
diff --git a/.github/workflows/test_unstable_e2e.yml b/.github/workflows/test_unstable_e2e.yml
index 89c613dc022..a3f64e4de8e 100644
--- a/.github/workflows/test_unstable_e2e.yml
+++ b/.github/workflows/test_unstable_e2e.yml
@@ -38,7 +38,7 @@ jobs: SECRET_ES_MERLIN_PW: ${{ secrets.SECRET_ES_MERLIN_PW }} DOCKER_ID: ${{ secrets.DOCKER_ID }} MY_DOCKER_PASSWORD: ${{ secrets.MY_DOCKER_PASSWORD }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 name: upload results if: always() with: 
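Review bot: `timeout-minutes: 11` in the `nest:test:cov` step of test.yml is a hard cap after which the runner cancels the shard, and the reason for the number — the matrix was widened from 4 to 8 shards in the earlier hunk — is not recorded next to it, so a future change to the shard count could silently leave the cap too tight. A comment such as `# sized for 8 shards (see strategy.matrix.shard); adjust together with the shard count` above the line would tie the two settings together. The rename to `coverage-artifacts-${{ matrix.shard }}` is the right companion to `upload-artifact@v4`, whose artifacts are immutable and must have a unique name per upload, so no change is needed there.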
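Review bot: The `upload results` step in test_unstable_e2e.yml moves to `actions/upload-artifact@v4`, which rejects a second upload under an artifact name that already exists in the run, and the artifact name lives under `with:` past the end of the hunk, so it cannot be checked here. If this job runs in a matrix or the workflow uploads to the same name from more than one job, the name needs a per-job suffix, as the `coverage-artifacts-${{ matrix.shard }}` change in test.yml does; if it is a single non-matrixed job, nothing further is needed.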
diff --git a/ansible/roles/schulcloud-server-core/templates/api-files-ingress.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-files-ingress.yml.j2
index fe377635efd..fd48f0686db 100644
--- a/ansible/roles/schulcloud-server-core/templates/api-files-ingress.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/api-files-ingress.yml.j2
@@ -4,7 +4,7 @@ metadata: name: {{ NAMESPACE }}-api-files-ingress namespace: {{ NAMESPACE }} annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABELD|default("false") }}" + nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABLED|default("false") }}" nginx.ingress.kubernetes.io/proxy-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" nginx.org/client-max-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" # The following properties added with BC-3606.
@@ -21,7 +21,7 @@ metadata: spec: ingressClassName: {{ INGRESS_CLASS }} -{% if CLUSTER_ISSUER is defined or (TLS_ENABELD is defined and TLS_ENABELD|bool) %} +{% if CLUSTER_ISSUER is defined or (TLS_ENABLED is defined and TLS_ENABLED|bool) %} tls: - hosts: - {{ DOMAIN }}
diff --git a/ansible/roles/schulcloud-server-core/templates/ingress.yml.j2 b/ansible/roles/schulcloud-server-core/templates/ingress.yml.j2
index 86588e74b47..67ef7f7a6fb 100644
--- a/ansible/roles/schulcloud-server-core/templates/ingress.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/ingress.yml.j2
@@ -4,7 +4,7 @@ metadata: name: {{ NAMESPACE }}-api-ingress namespace: {{ NAMESPACE }} annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABELD|default("false") }}" + nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABLED|default("false") }}" nginx.ingress.kubernetes.io/proxy-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" nginx.org/client-max-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" # The following properties added with BC-3606. 
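Review bot: Renaming the variable from `TLS_ENABELD` to `TLS_ENABLED` in api-files-ingress.yml.j2 fails silently rather than loudly if any inventory, group_vars or host_vars still sets the old misspelled name: `ssl-redirect` falls through to `default("false")` and, unless `CLUSTER_ISSUER` is defined, the `{% if ... %}` guard drops the entire `tls:` block, so an ingress that used to terminate TLS is rendered as plain HTTP with no error from Ansible. Where the variable is defined is not visible in this diff, so confirm every definition site was renamed in the same change, or bridge the transition in the templates with a fallback such as `{% set TLS_ENABLED = TLS_ENABLED | default(TLS_ENABELD | default(false)) %}` near the top until the old name is gone. The same point applies to the hunks in ingress.yml.j2, tldraw-ingress.yml.j2 and api-h5p-proxy-ingress.yml.j2.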
@@ -20,7 +20,7 @@ metadata: spec: ingressClassName: {{ INGRESS_CLASS }} -{% if CLUSTER_ISSUER is defined or (TLS_ENABELD is defined and TLS_ENABELD|bool) %} +{% if CLUSTER_ISSUER is defined or (TLS_ENABLED is defined and TLS_ENABLED|bool) %} tls: - hosts: - {{ DOMAIN }}
diff --git a/ansible/roles/schulcloud-server-core/templates/tldraw-ingress.yml.j2 b/ansible/roles/schulcloud-server-core/templates/tldraw-ingress.yml.j2
index 37b476e0834..51108642131 100644
--- a/ansible/roles/schulcloud-server-core/templates/tldraw-ingress.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/tldraw-ingress.yml.j2
@@ -21,7 +21,7 @@ metadata: spec: ingressClassName: {{ INGRESS_CLASS }} -{% if CLUSTER_ISSUER is defined or (TLS_ENABELD is defined and TLS_ENABELD|bool) %} +{% if CLUSTER_ISSUER is defined or (TLS_ENABLED is defined and TLS_ENABLED|bool) %} tls: - hosts: - {{ DOMAIN }}
diff --git a/ansible/roles/schulcloud-server-h5p-proxy/templates/api-h5p-proxy-ingress.yml.j2 b/ansible/roles/schulcloud-server-h5p-proxy/templates/api-h5p-proxy-ingress.yml.j2
index 7ccc8cd1036..fc3583650d8 100644
--- a/ansible/roles/schulcloud-server-h5p-proxy/templates/api-h5p-proxy-ingress.yml.j2
+++ b/ansible/roles/schulcloud-server-h5p-proxy/templates/api-h5p-proxy-ingress.yml.j2
@@ -4,7 +4,7 @@ metadata: name: {{ NAMESPACE }}-api-h5p-proxy-ingress namespace: {{ NAMESPACE }} annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABELD|default("false") }}" + nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABLED|default("false") }}" nginx.ingress.kubernetes.io/proxy-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" nginx.org/client-max-body-size: "{{ INGRESS_MAX_BODY_SIZE|default("2560") }}m" # The following properties added with BC-3606. 
@@ -20,7 +20,7 @@ metadata: spec: ingressClassName: {{ INGRESS_CLASS }} -{% if CLUSTER_ISSUER is defined or (TLS_ENABELD is defined and TLS_ENABELD|bool) %} +{% if CLUSTER_ISSUER is defined or (TLS_ENABLED is defined and TLS_ENABLED|bool) %} tls: - hosts: - {{ DOMAIN }}